Creator of Sasser Worm Goes on Trial
Cobb writes "Creator of the Sasser worm Sven Jaschan begins his trial today in Verden, Germany. Arrested in May 2004, Jaschan faces charges for his crimes as a juvenile. A reward from Microsoft partially led to the capture of the virus creator. From the article: 'The charges, which also include disrupting public services and illegally altering data, carry a maximum sentence of five years in prison. However, court spokeswoman Katharina Kruetzfeld said that, as a minor, he faces a lesser penalty.'"
I wish I could put a bounty on people who made me look stupid.
Interesting conundrum for the legal system - do you let him off easy and give him a job at a security company - or hit him hard, and ruin a promising (although mischievous) programmer?
Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
They evidently saw his skills in identifying and essentially publicising weaknesses in the operating system in a positive light.
Perhaps he ought to be congratulated to some extent for this - Windows is now (barely) more secure.
That is a little like - "I was only curious about how much money was in the register, and how far I could run with it until I got caught".
This, along with prosecution of spammers, is a good start to reducing annoying aspects of the internet, but how far will this go to prevent others from replacing convicted pests?
Is there a way to tackle the problem "from the source" that would prevent would be spammers and virus creators from WANTING to do these things?
I think if enough offenders are prosecuted, and prosecuted severely enough, there is the potential to ward off others from committing the same acts. However, if only a few, say 1 in 20 or less, virus creators/spammers/etc are caught, I don't think there will be enough push to stop others from taking their place.
Just like anything else in the world, if there is a low risk of punishment and a good chance of some sort of reward (monetary, pride, whatever) for some act, then someone will commit that act.
He only wanted to write a piece of code and see how far it would spread.
I only wanted to build a bomb and see how much it could destroy.
Maybe the Hacker Mentality needs to be tempered with regard to the consequences of one's actions.
I'm sorry Officer - I only shot him to see what would happen. You don't understand the hacker mentality
init 11 - for when you need that edge.
It'd be nice if his punishment was to do the work of all the IT personnel who had to clean up after his mess. I'd love to sit at home and relax while that little dweeb does my job. I'd be the one getting paid of course.
What he has done is ultimately a favor to microsoft.
He has demonstrated to them the importance of security, and demonstrated to end users the importance of patch management by exposing this vulnerability.
If he did not do it, someone else would have. We are just lucky Sasser was noisy and identifiable. A subtle worm which requires Tripwire to detect which spread on the same scale would be a disaster indeed!
Because of the profile in this case, I have to say toss the book at him. This will not scare the real hacker, but this will have a chilling effect on the casual script kiddies, and that is where the majority of worm/virus/junkware comes from.
But is he allowed to use a touch-tone phone?
Steven Wooston, Lead Programmer, J-J-J-Julius Games
Author of a CONSIDERABLE number of best-selling games
I don't give a rat's ass about the "hacker mentality" - why? Because they don't care about the rest of us.
This guy should get the max and should be made to pay restitution for all the trouble he caused.
I, for one, find no need in this world for worm writers, virus writers, phishers, Nigerian scammers, adware/spyware secret installers, keyboard loggers, and the rest of the trash that pollutes the otherwise exceptionally useful and wonderful Internet. Locking them away, and away from computers, for the rest of either their lives or my own -- whichever is shorter -- wouldn't bother me a bit.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Let's see him worm his way out of this!
If brevity is the soul of wit, then how does one explain Twitter?
Not really, because he didn't take anything. He caused trouble for people, sure, but not for personal gain. I'd say it's more like "I was only curious about how big the air force base was, and how close I could get to the nuclear missiles before I got caught". Not good, and shouldn't go unpunished, but not something to get a prison sentence for.
I am trolling
Sorry, fry the kid. Use this as YET ANOTHER wake up call that your computer is NOT a VCR. If parents cannot keep tabs on their kids' computer use then they should take away the computer. If the parents cannot understand how to do this, then maybe they shouldn't have a computer till they learn. Responsibility is with the individual and/or mentors.
anyone who is dumb enough to brag about writing a virus to his "friends" is dumb enough to be caught and should face the penalties.
Or, I just wanted to light a little fire and see what happened.
-- Slashdot: When Public Access TV Says "No"
I do have to say that just because M$ is a security hole doesn't mean that exploiting it in a malicious way is right, or even justified. There are correct ways to report the vulnerabilities, and those are the paths that this person should have taken.
Think of it this way, if you have a kid that is playing in a playground, and you look away for a minute or two, is it right/justified for a kidnapper to take your kid? Sure, it was your fault that you were not looking, but does that mean that since there was an opening to take your kid, someone is justified in taking your kid?
Sure, would-be kidnapper may come up to you and say "hey man/lady, your kid isn't being watched and could be taken easily". Even if the parent STILL keep an eye on their kid, does that make it right for the kidnapper to THEN take your kid just to prove a point and to let others know you were not looking?
This hacker deserves to be put in prison, they need to send a message saying that making viruses isn't right and it will not be tolerated.
That is a little like - "I was only curious about how much money was in the register, and how far I could run with it until I got caught".
Pfft. Tell that to Wynona.
Sentence the kid to a computer science school.
These kids hack, because they are at the age of destructiveness. They don't have the vision and maturity to reach the creativity stage, because they have no role models to do so. This kid's skills are good enough to make him a skilled security professional, and he didn't know enough to hand Sasser over to a Secunia and make himself well known in the process and probably have job offers. I'd like to hear his rationale for releasing it into the wild before deciding on how to treat him, but most of these kids do it for the kicks and respect of dysfunctional peer groups (i.e. other hacking clans). Need to show them a better way.
Well, I would have had first post, but /. slowed down right away. All of the first comments came at almost the same time.
There go my bragging rights. It's odd though that everyone appeared at the same time as me to post, maybe I should take tinfoil hats more seriously.
Worms are a two-sided problem. In order for them to happen, it takes a software writer (far too often that software writer being named "Microsoft"...) to create software that has a ready-to-exploit flaw in it, and then it just takes one evil-minded programmer to kick a worm through that hole and make a mess that makes all of us wearing white hats have to do some serious cleanup and deal with downtimes.
While I'm glad the kid is going to get taken to justice, I'm still a little troubled by the fact that all Microsoft did for their part of it was to release a "you shoulda run Windows Update" patch and kicking in a quarter-million US dollar reward... both of which they're doing out of the kindness of Bill Gates' heart because there's no law requiring either of them.
I know small time programmers need liability protection from the abuse of their software... but shouldn't a large company like Microsoft be liable for the cleanup costs associated with their own security bugs?
Sorry, should have made my sarcasm more obvious.
I don't believe in capital punishment at all. Not that some people don't deserve to die for their crimes mind you, but the government certainly isn't to be trusted with such decisions.
Minors get lesser penalties, because for the most part, they're all idiots.
While I feel this guy deserves to be punished, I don't feel he needs the book thrown at him.
I think if a kid is capable of committing a crime knowingly, then he should face the same punishment as an adult.
I think a lot of kids commit crimes with the "knowledge" that if they get caught, it would be a slap on the wrist and go away when they turn 18.
Where are the charges against the company who designed such a flawed operating system that would allow this exploit? NASA is investigated and while it is true that human life deserves the utmost attention, where is the committee examining why one single company and its OS have been responsible for such global meltdowns?
It is a crime to intentionally create malware causing harm to a system that was negligently and intentionally designed to be exploitable. This whole thing simply seems like another example of "the man" having power to be right and the little guy having nothing in response....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Why the **** is this on YRO??? What right is being compromised here? A kid's right to write worms and trojans that cost the public millions of dollars???
the hacker mentality is "don't harm anybody".
this guy is not a hacker
"Hanging's too good for him!
Burning's too good for him!
He ought to be chopped into little pieces and buried alive!"
Flash is the Herpes of the Internet.
your.opinion >
...and by the looks of it, you didn't give much thought to your post, or is that another aspect of "The Hacker Mentality"?
'if found convicted...'
Well, aside from the fact that your statement doesn't make much sense...
He confessed (or possibly 'made his convictions known') to the 'crimes.'
So, he has already admitted his guilt, and is now waiting to see how wide to open up.
Like 'Federal Pound-Me-In-The-Ass-Prison' wide, or Goatse wide...
No reason to lie.
The IT consultancy I worked for at the time our young German friend released his worm made a chunk of change cleaning up his mess he left behind. Frankly, I think he should be punished to the fullest extent of the law. He's no different than Mitnick and he went to jail for a long time, nor that fat tub of retard who modified Blaster who should have been posterboy'ed. *shrug*
Yes, but shouldn't Bill Gates go to jail for negligence, too?
Let me use this analogy: A kid throws a rock in a mountain, causing an avalanche. Turns out the guys who were warned about possible avalanches didn't do their work, like putting protective fences, blah blah.
So, when people die because of the rocks falling, suddenly a kid's the ONLY person guilty?
Give me a break.
Ah, but he was a minor. If you're going to fry someone, fry his parents. I'll bet you that will make a difference to the supervision levels of kids using computers.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What kind of ridiculous talk is that? No one is forcing you to use the Microsoft operating system or even own a computer at all!
Sure it's partially their fault for having a buggy OS but don't fool yourself into thinking that having a perfect OS is a god-given right.
If I burn your house, I don't take anything. If I install remote video surveillance in your bathroom, I don't take anything. If I duplicate your identity so that I can infiltrate the United States and destroy the Godless infidel, I don't take anything.
I cause trouble, sure, but not for personal gain.
Your analysis borders on the inane. The little moppet compromised enormous numbers of computer systems and put them in a state that people would generally acknowledge required substantial repairs or reconstruction.
Do they still sentence people to being gummed to death by toothless rabid weasels?
.. at least according to the BBC:
http://news.bbc.co.uk/1/hi/technology/4649361.stm
The Law vs Justice has been a long fight and I don't see the end of it. People getting off on technicalities or getting caught because of their ignorance. Law cannot substitute for Justice - it can only be the fighting arm of Justice.
Also IMHO, they shouldn't try and make an example out of him - but they can't just let him loose either. I cannot say what to do - but that's why there are judges and courts.
Quidquid latine dictum sit, altum videtur
Actually it's MicroSoft that should be sued for making so insecure and virus-prone software
:-)
Heh, that'll be the day... software security and stability has done nothing but go downhill since the mid 1990's. Programmers always bitched about how there were so many different types of hardware and so many different drivers, and this was why it was so difficult to create programs that worked well on every machine. Microsoft PROMISED that Windows '95 would take care of all the low level stuff, creating a uniform API and making the programmers' jobs easier. What we got instead was security holes, bloatware, BSOD's, and sloppy programming is now the industry NORM. God forbid you don't have internet access since you now EXPECT to need a patch for your software on or about the time it is released. The software business is the only one in the world that is allowed to knowingly sell you a defective product (oh no sorry, license a copy of sub-optimal software) AND get away with it.
But nooo, Microsoft is not responsible at all. Poor Microsoft. End of rant
Seven puppies were harmed during the making of this post.
He'll get the maximum possible sentence. He embarrassed a *monopolistic* megacorp with enough money to influence the legal system; they'll make sure the poor kid gets the book thrown at him for daring to fight M$ back.
Moreover, he is tried as a juvenile. In Germany, you are invariably tried as a juvenile up to 18 years of age, and more typically up to 21 years if the court determines that "your character is not completely formed". Sentences in a German juvenile court are not primarily for punishment, but to provide guidance and education. Very few juvenile offenders go to prison (and if yes, none goes to an adult prison). Typical sentences include mandatory social work or weekend arrests.
Finally, first time offenders always get much lower sentences, and prison sentences up to a year are nearly always suspended (for first-time offenders with reasonable behaviour and prognosis, so are some longer sentences).
So his risks of actually spending time in prison are rather low.
Stephan
He caused damage on his way in. It's more like, I invented a new tool to open up car doors. I'm going to run down the street, hit the button on every car, and then throw a bucket of paint in on the seat. People had to clean up his mess. Sure, let him work for a security company. He'll need a good job to pay off the bill they stick him with for his troubles.
Yes, but shouldn't Bill Gates go to jail for negligence, too?
are you fucking serious?
what about linux or freebsd? If Bill Gates went to jail, so would many others..including Linus.
This guy intentionally released a worm that caused damage. It's different than releasing software that has security holes. It's really about who you want to blame: the gun maker or the person that bought and shot the gun.
After that we can sue the banks. Did you know there are 1000s of successful bank robberies every year? Obviously, they make an insecure product.
My mattress at home has never been robbed. I call it Best Sleep Device.
After that we can sue the banks. Did you know there are 1000s of successful bank robberies every year?
Banks don't dock money from your account because they have been robbed.
Seven puppies were harmed during the making of this post.
I, for one, don't want to have my taxes used to incarcerate someone who doesn't pose a life or death threat to anyone else in society. Fine him up the ass, make him do community service for a decade, but there's no reason why we should throw essentially a social criminal who harmed no one but business into prison.
/. crowd, some super smart folks, who will quickly resort to violence over someone fucking with their geekdom.
I'm amazed by the
No sig for you!!
Maybe he shouldn't get let off so easily. Here Steven Landsburg, a PhD in Economics, explains the economic logic behind executing worm-creators
This analogy leaves out an important detail of the real case. If we add that it is absolutely certain that the avalanche would not have happened if the kid had not thrown the rock, then it's clear who's the guilty party.
Your analogy is flawed. Your kid would have to know how to hit one of the hard-to-find places that he knew would bring the mountain down.
His worm didn't infect millions of pcs worldwide out of dumb luck.
Ok, ok, let's be civilized -- just his left-hand pinky.
Generally, bash is superior to python in those environments where python is not installed.
As much as I'd love to condemn his actions, I started thinking about the first idea that came to my mind when I heard he was going to be locked away for awhile... something along the lines of a private collection to pay one of the bigger kids in juvey to beat the crap out of him daily. Somebody help me reason out why I'm right and he's still wrong! ;)
I worked in tech support at the time, and I say that as punishment he needs to be tied to a chair with a headset affixed to his head and take calls from people affected by the worm, and try to convince them that he shouldn't be put in prison. Writing a virus or a worm may be a fun/educational exercise, but to release it into the wild is a sign of stupidity, amorality, or sociopathy. In either case he needs to have his nose rubbed in this so he doesn't do it again, and more importantly so the next kid thinks twice before releasing his creation.
I don't think Microsoft are embarrassed anywhere near enough. Everyone now thinks it's this kid's fault, when really they ought to be screaming firstly at Microsoft for making OS's out of paper mache, and secondly incredibly incompetent sysadmins who were stupid enough to put Windows on critical systems, and didn't apply released patches!
Sasser didn't actually have a payload - it just replicated out of control. Virus writers like Sven are doing us all a favor at the moment by producing mere proofs-of-concept - imagine what'll happen when someone with actual destructive intention does something that actually *tries* to cause some harm!
Sorry, but I find your argument idiotic in the extreme. Arson seems a better analogy to his actions. Let's assume an unoccupied building, just to be fair.
Setting the fire causes trouble for people, but not for personal gain. It's like "I was only curious how fast the fire would spread, and how much would burn down before the fire department could respond."
Do you think arson is "Not good, and shouldn't go unpunished, but not something to get a prison sentence for."? Does a five year maximum sentence really seem unreasonable?
While we're at it, do you really think you're not going to be risking jail time if you try to see how close you can get to the nuclear missiles? I'd assume there would certainly be jail time if you got close at all, assuming you don't do really well, and get close enough to just be shot on sight.
If we add that it is absolutely certain that the avalanche would not have happened if the kid had not thrown the rock, then it's clear who's the guilty party.
Problem is, the kid wasn't the FIRST ONE to throw a rock at the same spot. If he's not the first, but the FIFTH, aren't the people in charge of that mountain responsible?
Safety-critical environment?
How about British Airways*, the UK Coastguard, and Australian Railcorp? What anyone was thinking putting Windows in places like this, I have no idea - and even worse, evidently without a working patching regime!
* check-in only apparently, I'll grant that
I thought that said faeces. Perhaps I should go to the loo.
Use this as YET ANOTHER wake up call that your computer is NOT a VCR.
But both of them can be used for watching pr0n!!!
Execution is out because it is illegal within the EU too.
these kids don't go after linux because none of you assclowns have shit but 200 slashdot related bookmark entries in one of the 3 apps you use, the other 2 being irc and email.
if linux ever 'wins' this half imagined 'OS war' you will have shitloads of bored 16 year olds ripping the hell of *it* instead of windows.
enjoy your obscurity and impotence while it lasts,
Ah, but he was a minor. If you're going to fry someone, fry his parents. I'll bet you that will make a difference to the supervision levels of kids using computers.
You may not have been serious, but luckily for everyone concerned Germany is in the EU - where the prohibition of the death penalty is a condition of entry. Plus it would appear that the West German constitution of 1949 abolished it anyway.
I've never quite understood how supposedly civilised countries can put their citizens to death, for whatever reason. The no-death-penalty, no-extradition-to-face-execution clauses of EU membership make me inordinately proud of being European...
Tedious Bloggy Stuff - hooray?
Kids make mistakes, I don't think he should be thrown in jail and have his life ruined because of a childish (yes this is very childish of him) mistake.
However, he's taught a lot of people to take security more seriously. I think anyone would agree that because of this kid, a lot of systems are more secure.
Plus I don't think the "hacker mentality" works in cases like this. I don't think when he created and released this code he was thinking of what would happen. He was probably just curious, but not out to hurt anyone. This might have just been something "cool" to him. In any case, I don't think he should be thrown on the same level as say Karla Homolka. Take away his computer or restrict his computer privileges. Don't throw him in jail. He's not a murderer (refer to the google link provided).
They opened an RPC DCE receiver port on everyone's home PC. They were warned it was an unnecessary security risk, they didn't audit the code or block it. It was cracked.
So they should get a fine otherwise they'll never clean up their act.
...I only shot him to see what would happen...
Hee hee
What?
Software security has been going downhill a lot longer than that. Computers were a lot safer before we started plugging them into each other. There are a lot of cool things that come with large scale networks, but there are also some annoyances.
Making a mistake is like, forgetting to study for a test. Burning yourself on a hot pot. Killing a plant because you forgot to water it.
Sending out something that self-replicates, just because he wanted to see if he could do it, isn't a "mistake", it's "stupidity". If he were the first one ever to try it, then I could see it possibly being a mistake, but well, it wasn't, it's obvious he KNEW that others did it, so he has no innocence at ALL in this case. He knew what he was trying to do, and he set it out unto the world. He deserves everything he gets. And since he's a minor, his parents should be made to pay any fines he incurs for not paying more attention to what their kid was doing.
But in Germany, it is illegal to spank your children. If they grow up to be undisciplined little snots, how can the government hold parents responsible when the government took away the parents' freedom to discipline their children as they see fit?
Debating whether to post AC.... Nah.
taken! (by Davidleeroth) Thanks Bingo Foo!
1) Not every kid is enough of a sociopath to pull shit like this. (When you infect a hospital's software systems and maybe destroy patient's records the patient can die.) They may know that they can do it, but they are also aware enough to understand the consequences. Any one of the age of reason (seven years old) should know that you just can't do that sort of thing (even the nastiest bully I ever knew knew that, he did it anyway but he at least knew it.)
2) Not every employer is going to want to hire such a sociopathic kid and I would caution the kid that having such 'L33t Sk1lz' is more likely to land him a job with the wrong type of employer, one who let him swing in the breeze when they eventually get caught screwing with bank accounts.
I would buy the kid a Mac 'sans' XCode CD-ROM and keep him away from L33t haxxor tools, for everybody else's protection.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Only the US has 'Federal Pound-Me-In-The-Ass-Prison' prisons, AssHole! Nobody else over five years old finds it even remotely funny. What's wrong with you people?
Five Years? That's no big deal then. He'll be on parole before Longhorn actually ships :-)
Wonder if he's had any job offers?
If anything, this guy would be smart to sell the book rights to Hollywood.
Yes, you are inordinately proud, indeed.
Ok, how about a fine of $1 for each computer he infected? No prison time, and an appropriate punishment for the scale of the crime.
Why is it always someone else's fault for not putting up protective fences? If you don't want to be in the path of a potential avalanche, do your own research on the area first. They're not all that common in most people's everyday lives.
It sounds like the kid and god are conspiring against the kid and anyone else in the path of the avalanche. I sure wouldn't blame some minimum wage fence jockeys. I bet they already have enough problems.
I think your time would be better invested in spelling lessons.
Your analogy is erroneous; the correct form is: This is almost like saying Bin Laden did a good thing by levelling World Trade center - because he created awareness of errors in the twin towers design.
Something about the haughty tone of this post makes me think the poster is a hearty advocate of abortion....but nobody wants to swim in these waters, now do they ;)
"Me? Lady, I'm your worst nightmare -- a pumpkin with a gun."
Jaschan: You want answers?
Prosecutor: I think I'm entitled to them.
Jaschan: You want answers?
Prosecutor: I want the truth!
Jaschan: You can't handle the truth! Old man, we live in a world that has firewalls. And those firewalls have to be setup by men with MCSEs. Who's gonna do it? You? You, Mr. Ballmer?
I have a greater responsibility than you can possibly fathom. You weep for Windows XP and you curse Microsoft. You have that luxury. You have the luxury of not knowing what I know: that Windows XP has faults, while tragic, probably saved jobs. And my existence, while grotesque and incomprehensible to you, saves jobs...
You don't want the truth. Because deep down, in places you don't talk about at LAN parties, you want me on hacking that firewall. You need me finding exploits in that firewall. We use words like reboot, blue screen, exploits, Microsoft...we use these words as the backbone to a life spent hacking something. You use 'em as a punchline.
I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very exploits I find, then questions the manner in which I exploit it!
I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a real firewall and configure it. Either way, I don't give a damn what you think you're entitled to!
Prosecutor: Did you write the Sasser worm?
Jaschan: (quietly) I did the job you sent me to do.
Prosecutor: Did you write the Sasser worm?
Jaschan: You're goddamn right I did!!
Give him something constructive to do, instead of misdirecting his time and talents (read: community service in the technology field).
Maybe his parents weren't paying any attention to him, or perhaps he felt lonely and unnoticed. We don't know what this kid has gone through, but he probably doesn't belong in a jail cell!
Just because the kid caused some of you sysadmins a hard time (ok, you lost some money too) doesn't mean he shouldn't receive mercy and understanding. The kid has some skillz and motivation (better than a lot of kids who waste their lives smoking pot and playing xbox), so let's utilise his talents and give him a future.
No, but then you're (presumably) deliberately and maliciously causing damage. (I probably should have put that in too) If you burn my house down without trying to damage anything, I don't think you should go to prison. Pay for the damages you did, definitely, pay more in fines, sure.
If I install remote video surveillance in your bathroom, I don't take anything.
No, but you're doing it for personal gain.
If I duplicate your identity so that I can infiltrate the United States and destroy the Godless infidel, I don't take anything.
You're doing it for personal gain though.
I am trolling
Having such a dysfunctional and insecure OS that it lays down and spreads its legs to every sailor in the fleet should be a criminal offense and the penalties should be the same (even if it means that some 'Typhoid Mary' Mallon lies in limbo until she croaks.)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
But there wasn't any bucket. If he'd deliberately deleted files or something then fair enough. It rebooted PCs because of a stupid windows default setting, not any intent to cause damage.
I am trolling
Would he be eligible for trial elsewhere since his crime went beyond German borders? In short: will America and others be allowed to give him a therapeutic cockpunch?
If you didn't come to party don't bother knocking on my door. Prince '1999'
So let's just say that theoretically this guy and the guy who turned him in are working together. Adult writes the worm and gives it to the kid. Kid releases it onto the unsuspecting Internet. Adult turns him in. Kid gets a slap on the wrist. Adult collects $250,000. A few months down the road, adult splits the cash with the kid. Profit!
The kid won't have any incentive to screw his partner over - he released the worm, so he's guilty regardless. The adult could provide the kid with some proof about who really wrote the worm. If the adult tries to keep the cash, the kid turns him in and the adult gets put away for 10 years and loses the reward money, to boot.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
Anything less is hypocrisy and posturing - "having our cake and eating it, too"...
Reason is the Path to God - Anon
i agree to a point.. honestly, what did he do? created a piece of software that exploited insecure code and enabled a function of the OS (RPC system shutdown).
The charges, ..., carry a maximum sentence of five years in prison.
At least he wasn't busted with pirated music. That carries a real penalty.
OK, you could say the writer wished to cause harm irrespective of target. Like dumping nails on a road. But then you get into a slippery slope of criminal intent. He caused harm. What about all those who spread their worm through their unpatched systems? What about those who had been warned and still left their systems unpatched? What about those who might have willfully removed patches?
No internet, no TV, no human contact at all.
I'd lock him up on a fenced in acre of Wyoming with a bunch of books on ethics and have his meals brought in by an armored book mobile robot.
Later, I'd expand the range of books to include self-help books.
His attitude and actions deserve ostracism and we deserve to be protected from him.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Stephan
Boutny hunter? I've never seen a boutny before.
Reading people's replies on Slashdot to things like this often appalls me. This kid caused annoyance to many people and wasted time, and subsequently money. However, how much time and money is his freedom worth? We are talking about potentially locking someone up in jail/prison for writing code. Ripping their freedom away for pushing keys. Sure, they caused trouble, but is it worth taking away their freedom for? Also, his attacks caused the most time loss and money loss for huge corporations. I don't have much sympathy for a soulless, money grubbing corporation. That is what corporations are, but I would much rather see a corporation lose some money than a person go to jail/prison.
This also seems to show just how obsessed we are with computers. We are willing to throw a kid in jail because he temporarily caused us computer annoyance. What the hell is our world coming to? Ban him from computers or something. Sentence him to teaching Microsoft how to have a more secure system.
This guy has skills and his freedom is worth more than money in a CEO's bank. He messed up and did something stupid, but you should never take away a person's freedom for something like what he did.
I think a lot of people could learn a bit from placing themselves in other people's shoes, such as this guy's parents, or friends, family, etc. What if this was your kid, or your best friend? Sure, some of you say monitor your kids more. You can't always have time to do that. Kids are sneaky. Kids need privacy. Are you going to sit and watch everything your teen does 24/7? Are you going to monitor all his coding into the night?
Dustin - A different story...
If the manufacturer claimed that the lock would be proof against a credit card, then he shares in the fault.
If, however, on the lock package there was a phrase like, "This lock is provided AS IS, and is not warranted nor guaranteed to be fit for any particular use or purpose whatsoever and any loss of personal property or data is all YOUR FAULT!" then you're silly to trust it.
Exam 4/C again. Maybe I'll do better this time.
Well, it really seems like a knee-jerk reaction. After all, we were all told to be aware of guys with knives and wear protective vests several months up front.
Or "I just wanted to poison him so I could have sex with his dog all day."
Jeez, can we keep going with the stupid analogies?
To go down the garden path of increasing awareness, try this analogy.
Sasser boy is riding a rollercoaster.
He notices a loose screw.
Does he
A. Inform the rollercoaster operator of the problem
B. Attempt to repair it himself
C. Unscrew it to demonstrate the safety risk of the initial poor design/maintenance?
Yes, there is only one right answer here - and it sure ain't C. If Sasserboy wanted to do something noble, he could have programmed a workaround to patch the hole until M$ could release their patch.
Instead, he took the screw out.
Idiot. We don't need people like this in IT. Common sense is slightly more important than technical savvy - remember, most hacks are social engineered ones.
Yeah, I know, and I agree with you really. They pretty much did this in the UK recently as well, and all it's done is produce a mini-generation who walk up to you, swear, key the side of your car, kick your bin over spilling rotting food all over your garden, and then reply "Yeah, whatever" when you ask them what they think they're doing.
This is what happens when political correctness and a nanny state don't get stamped on forcibly and quickly by people with common sense. Just ask the teachers... if there are still any left! :-(
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
German law recognizes that in such situations most of the responsibility falls to the adult, regardless of who commits the actual act.
Of course there may be a problem with enforcement (i.e. you might not be able to fix it on the adult). But there is no reason why the juvenile should be punished for the incompetence of the prosecution.
Stephan
He is charged with stupidity.
Kid? He was 17 at the time. If you're watching over your 17-year-old's shoulder every second he's on the computer, you're the one with a parenting problem.
I've upped my standards, so up yours.
Fry the kid - figure of speech. Make an example of him AND his parents. Take away their stuff and fine them, not kill them. This is a deterrent only to careless parents and clueless kids.
If it weren't for the Plague then a part of the population today would not be immune to HIV. The Plague helped promote the Delta32 mutation that has saved lives today. Hackers are facilitating better code for the world. Only the fittest survive.
The damage was data that could be recreated. Costing people time is irrelevant (no honestly it is) unless that time is expensed or billed (then it becomes relevant). Murderers can eventually make their way back into society just like any other criminal. Your sentence is how you are punished. Like it or not. He has the right to pursue a career after he has done his time. This isn't to say that people shouldn't be able to pursue him for punitive damages... If you can say "You cost me $4M" I believe you have the right to (attempt to) sue him for that cost. Good luck getting that out of a minor though.
Oops, how did this get here?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I can understand everything you said except for the last sentence. If you were a kid, and your parents saw you scripting/programming, I wouldn't think they'd know you were writing a virus of all things. Even if they did ask, would you answer them with "I'm writing a virus"? If we are going to blame the kid, let's not get the parents involved who are most likely computer-illiterate.
Crack dealers are often very good businessmen, and have to work hard to keep the supply chains running, salesmen on the streets, etc. We don't normally see them working for the DEA afterwards, or getting jobs on Wall Street with their acquired skills. Instead we lock them up for 20 years.
Crack dealers may be great businessmen on the streets, but often there is a different set of skills required to make it in legitimate businesses. Respect for social structure, having "cultural capital" (the ability to maneuver in these structures) and deal with gov't bureaucracy, etc. are things one working in underground markets doesn't have to deal with as much. For an example of a drug dealer trying to make it in legal business, I would suggest reading Philippe Bourgois's In Search of Respect: Selling Crack in El Barrio. A text common in many Sociology classes.
The guy that turned him over is now under investigation as well, BTW. So I guess this plan would be quite risky.
On the other hand, if Microsoft could come up with some half-assed evidence that the informant was involved somehow, they'd save themselves $250,000.
I mean sure, it's not much, but every little bit counts.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
Sorry. I linked to the old edition.
This is the current one.
...you're (presumably) deliberately and maliciously causing damage.
But creating a worm ISN'T deliberately and maliciously causing damage? After all, we can only buy the "I didn't intend this to be released onto the public networks" excuse so many times. Even then, a functioning worm constitutes an unjustifiable and unreasonable risk of damage when the only novel component is the particular exploit.
If you burn my house down without trying to damage anything, I don't think you should go to prison.
Nice for you. Unfortunately the law has a more complete vision. If you burn your house down with a reckless disregard of a substantial risk that the fire will spread and burn my house down, then you are guilty of arson and will go to prison. Seems appropriate in the worm context as well.
No, but you're doing it for personal gain.
But creating a worm DOESN'T result in personal gain? Especially in my first example - what personal gain? The satisfaction of seeing your johnson? Is that anything like the satisfaction of seeing a network with thousands of computers dissolve into anarchy and malfunction?
In my second example, I don't recall if the original Sasser worm had any remote command functionality, but the successors sure as hell came with it. That's the same thing as stealing your identity vis a vis a computer network.
His right to be prosecuted to the full extent of the law? Everybody else's rights to see justice served? The rights he's given up by breaking the law?
Just because it's relating to rights doesn't mean the case shouldn't be happening.
Karma: Non-Heinous
That oughta allow anyone to do it.
In the UK, Sasser forced staff at the Maritime and Coastguard Agency to return to manual map reading because computer systems were made unusable by the worm.
Check-in for some British Airways flights was also delayed thanks to Sasser.
Around the world, the Australian Railcorp trains stopped running because computer problems caused by Sasser made it impossible for drivers to talk to signalmen.
In Taiwan, more than 400 branches of the post office were forced to use pen and paper because Sasser crashed desktop PCs.
These are not mere annoyances to "soulless" corporations (which, by the way, employ lots of real people -- perhaps even yourself!). The failure of the UK Coast Guard's system or the train dispatching system in Australia could have easily killed people.
You're treading a dangerous path there, one in which all software authors are held legally responsible for bugs in their code.
Remember the first internet worm? That was an exploit in sendmail. There are rootkits for linux.
Still think the authors should go to jail? Or is it somehow different because MS charge for Windows? My company has bought plenty of copies of RedHat...
(Oh, I'm ignoring the fact that that's the most flawed analogy I've read here in a long time - the author of the sasser worm wasn't some innocent kid idly throwing stones)
It's official. Most of you are morons.
The problem with juvenile cases taking years to determine a verdict, is that the defendant might no longer be a juvenile when the verdict is rendered. The basis for special sentencing of the juvenile comes from the recognition that juveniles can be easier to rehabilitate than adults, who don't learn as easily. When you put a juvenile behind bars, you're already starting to teach them they're criminals. When you leave them there for years, until they're adults, you've probably created a criminal, even if they could have been easily rehabilitated early - even if they were not guilty. Juvenile cases should be among the highest priorities, as justice delayed extracts a terrible cost, for the rest of their lives, in or out of "the system".
--
make install -not war
This article is pretty slim on actual information on the malicious intent of the virus. CNN had a pretty good article on it, which stated that it didn't have a malicious payload, it just did what a worm does and that slowed down networks. In fact, when he realized what it was doing, he tried to release a fix, AND he was trying to create a virus that would automatically stop other viruses.
Lots of misplaced anger in this thread. He made a mistake, he admitted it, so all of you, especially those with pirated, not updated copies of Windows, please move along.
You're treading a dangerous path there, one in which all software authors are held legally responsible for bugs in their code.
Well, Microsoft has been constantly notified of bugs in their code, and they've been neglecting to fix them just to spread the illusion that Windows is a secure platform. Many bugs in IE were unattended for even a year, until the first large-scale virus began to stain the flawless image that Microsoft had done.
And they wouldn't have innovated anymore if it wasn't for the competition (competition, which, btw, they drove out of business by using monopolistic practices).
Isn't this equivalent to the CIA failing to inform correctly about Bin Laden's plans to bomb the towers? Think about it.
Open source software, on the other hand, leaves the responsibility of finding flaws to developers. After all, the source is open. With Windows, however, it's not. So it's Microsoft's responsibility to find flaws and security holes. How have they carried this responsibility?
Let's say 2,000,000 people were affected, and it wasted 1 hour of their time. That's 2,000,000 hours of human time. The average life is about 450,000 hours. Moreover, it was intentional. He destroyed at least four entire lives!! He deserves death, or whatever penalty you think a pre-meditated mass murderer deserves.
P.S. I'm not kidding.
nt
It's really telling that he was the guy to get but M$ gets off with no responsibility whatsoever. Not that they should be prosecuted, but they could write code to fry your machine and their EULA obfuscates them of any responsibility. This always got me about their position against Linux. "No one is responsible!" they say. Yet, who at M$ is responsible for leaving the door open to such attacks?
I think that things like that are examples of unintended consequence. It reinforces the need for this guy to be punished; however jail time is still harsh, particularly as no one was hurt.
On the up side, this reminds businesses, corporations, and governments to actually secure their systems. If a worm can get in and cause this trouble, imagine if someone malicious did the same and altered the system to try and cause more trouble, for example altering data or control so that trains would crash into each other. This is a wake up call for people that security is important in their systems, particularly if they are on networks and run important things which interface with life safety. The results of this were much less than they could have been had this programmer been more malicious.
Like I said, this guy made a bad choice in placing this worm online and still needs to be punished. I just don't think locking someone up is a good solution. There are much worse crimes than what he did, his just happened to affect a very large number of people, often due to the carelessness or ignorance of persons in charge of certain systems or equipment.
Dustin - A different story...
Death Penalty
Has it worked?
Put him in charge of the IT department in any large scale office environment with more than 25, but less than 50 employees.
1. He won't get any help because they'll keep telling him they're over budget.
2. He will spend hard time each day fixing not only the problems that he helped spread and design, but all the annoying little in between stuff that has to be done NOW. (like trying to resurrect Outlook profiles after ghost emails start appearing)
3. The work-to-pay ratio will be so off that he will think that he is losing money instead of earning it.
4. He'll be too busy to consider a script for CounterStrike, much less writing code.
It takes just a moment and an action to destroy. It takes some time and thought to create.
"We are talking about potentially locking someone up in jail/prison for writing code."
If you think this guy is guilty of merely "writing code", you need to reexamine the situation.
-- "I never gave these stories much credence." - HAL 9000
Dear Sven, Screw you for all the phone calls I've gotten; "hey, my computer keeps shutting down, can you look at it for me."
So what?
Explain to me why the Maritime & Coastguard Agency, or British Airways, or even the Australian Railcorp connects their computers to the global network we call the internet? Explain to me why they use an untested system (Windows) to operate potentially life-threatening services?
This is downright stupid. This is not your mom and pop shop we're talking about. These are agencies, corporations, that should have security of their people or the people they serve as their first rule. You do not put in operation a system that you haven't tested for failure. There are well-known procedures to implement safety testing. I really think that the persons responsible for these systems should be at least fired, if not put on trial. This guy didn't put bricks on the track, didn't try to put a bomb in a plane, things that are clearly difficult to avoid by applying well-known methods. However, safety-testing of a computer system is possible and relatively easy, if you're not trying to be the cheapest. When I board a train I expect the wheels are checked regularly, the structure won't collapse from vibrations. We should also expect the computer system not to collapse without serious reasons.
Mitnick was in solitary. Guantanamo is totally different from other prisons... Political prisoners and PoW's... Not Big Black Guys Named Tiny.
Because other civilized countries recognize that not necessarily all killing is wrong, and in certain cases the execution of a criminal is in the best interest of the state. There are no moral objections to executing somebody who has violated their responsibility as a citizen to obey the most important laws of the country. The criminals still have the right to due process, and most sit on death row for a very long time before they are actually executed. Even Timothy McVeigh, the man behind the largest domestic terrorist attack in U.S. history, was not executed until six years after the Oklahoma City bombing. In the United States, while this punishment is legal in certain states, it is very rarely used. Except in Texas.
Then you're silly to trust any of them.
Not silly to use them, but silly to trust them very far.
Luckily, backups of data are relatively easy, compared to backups of personal property.
I was just imagining:
I purchase a copy of each of my personal possessions each month.
I keep each backup set in a fireproof storage unit in different parts of the city.
When a backup set is 5 years old I destroy it by putting it through a strong magnetic field. The furniture doesn't seem to get very destroyed, though, so I do it twice with the furniture.
I've considered incremental backups, but prefer the redundancy of full backups.
Exam 4/C again. Maybe I'll do better this time.
The US and Japan are the only remaining developed-world countries who do this.
Me (Blog)
Something about the haughty tone of this post makes me think the poster is a hearty advocate of abortion...
;-)
Well, you'd be wrong - I feel that abortion is pretty loathsome too...
Tedious Bloggy Stuff - hooray?